Important Information for CSP Microsoft Integrations

Updated at Jul 07, 2025
By Kali Patrick

Table of Contents

  • CSP Integration Prerequisites
  • Step 1: Create the Syncro Service Account
  • Step 2: Configure MFA for the Syncro Service Account
    • Conditional Access Policy (Recommended)
      • Assign the Syncro Service Account to a Policy That Requires MFA
      • Set the Session Sign-in Frequency
    • Security Defaults
  • Step 3: Configure Customer GDAP Relationships

Related Docs

  • Getting Started with Microsoft 365 Management
  • Configure GDAP in Microsoft Partner Center
  • Configure GDAP in Microsoft Lighthouse
  • Integrate with Microsoft

This document describes some important prerequisites as well as the steps for configuring your Cloud Solution Provider (CSP) Microsoft 365 Tenant for integration with Syncro. (For the Syncro-specific integration steps, see Integrate With Microsoft.)

You can integrate either:

  • Your Microsoft Tenants in bulk through your CSP Microsoft 365 Tenant credentials and Microsoft Granular Delegated Admin Privileges (GDAP) relationships, or 
  • Each Microsoft Tenant as a Single Tenant using a unique Global Administrator account for each individual Microsoft 365 Tenant. 

CSP Integration Prerequisites

Connecting to Microsoft 365 Tenants through a CSP Microsoft 365 Tenant requires an authenticating user that meets specific requirements, and Customer Microsoft 365 Tenant relationships with specific GDAP roles.

The authenticating user must:

  • Be a CSP Microsoft 365 Tenant Global Administrator, 
  • Have AdminAgent privileges,
  • Be a member of the AdminAgents Security Group,
  • Be a member of the Security Group associated with the appropriately privileged GDAP relationships with the Microsoft 365 Tenant, and
  • Be prompted by Entra ID MFA when authenticating. (Microsoft does not allow access to Microsoft 365 Tenants via GDAP using third-party MFA applications.) 

Each Customer Microsoft 365 Tenant must have: 

  • A Customer GDAP relationship,
  • A CSP Microsoft 365 Tenant Security Group with the appropriate roles assigned, and
  • A GDAP relationship with either a Global Administrator privilege or ALL 12 specific privileges assigned.

Tip: You only need to enable a Customer GDAP relationship for the Microsoft 365 Tenants you want to integrate. For example, if your CSP Microsoft 365 Tenant can access 100 Customer Microsoft 365 Tenants and you only want to integrate 75, you'll need to create a Customer GDAP relationship with the desired 75 Microsoft 365 Tenants.

Step 1: Create the Syncro Service Account

First, create the Syncro Service Account so you have an authenticating user that works for the Syncro-Microsoft integration. Follow these steps:

  1. Log into the Microsoft Entra Admin Center.
  2. From the “+ Add” menu, select User > Create New User.
  3. Enter an easily identifiable User Principal Name (e.g., Syncro_Integration).
  4. Enter an easily identifiable Display Name (e.g., Syncro Integration Account).
  5. Uncheck the Auto-generate Password box. Set a strong Password and save it in a secure location (e.g., a password manager).
  6. Click Next: Properties.
  7. Add any desired additional information for this account.
  8. Click Next: Assignments.
  9. Click “+ Add Group.”
  10. Check the box for the AdminAgents group, then click Select.
  11. Click “+ Add Role.”
  12. Search for and check the box for the Global Administrator role. Then click Select.
  13. Click Next: Review + Create.
  14. Click Create.

Step 2: Configure MFA for the Syncro Service Account

Microsoft requires Entra ID MFA enforcement to access Customer tenants using GDAP relationships. There are two ways to enforce MFA, depending on your Microsoft 365 licensing. 

Conditional Access Policy (Recommended)

Note: You can configure the Conditional Access policy for the Syncro Service Account in accordance with your security policies; however, MFA should always be required.

Assign the Syncro Service Account to a Policy That Requires MFA

  1. Log into the Microsoft Entra Admin Center.
  2. In the left navigation, expand the Protection section and then select Conditional Access.
  3. First, exclude the Syncro Service Account from all existing policies:
    1. From the inner side panel, click Policies. 
    2. Click the Policy Name for a Conditional Access policy shown at the bottom.
    3. Click the hyperlinked text in the Users section.
    4. Select the Exclude subtab.
    5. Check the Users and Groups box.
    6. Search for and select the Syncro Service Account.
    7. Click Select.
    8. Appropriately handle the “Don’t lock yourself out!” message.
    9. Click Save.
    10. Repeat sub-steps 1 through 10 for each Conditional Access policy.
  4. Next, create a new Conditional Access policy:
    1. From the inner side panel, click Policies. 
      Tip: Click the “Conditional Access | Policies” breadcrumb at the top of the page.
    2. Click “+ New Policy.”
    3. Enter a Name for the policy (e.g., Syncro Service Account MFA Policy). 
    4. Click the hyperlinked text in the Users section.
    5. Select the Include subtab.
    6. Select the “Select Users and Groups” radio button, then check the Users and Groups box.
    7. Search for and select the Syncro Service Account.
    8. Click Select.
    9. Click the hyperlinked text in the Access Controls > Grant section.
    10. In the right side panel, select the “Grant Access” radio button, then check the Require MFA box.
    11. Click Select.
    12. Click Create.

Set the Session Sign-in Frequency

To set the session sign-in frequency, follow these steps:

  1. Click the hyperlinked text in the Access Controls > Session section.
  2. Check the Sign-in Frequency box, then select the “Every Time” radio button.
  3. Click Select.
  4. Toggle the “Enable Policy” to the On position.
  5. Click Create.
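
An added example (not Syncro's or Microsoft's code): a Python check that the Conditional Access setup described above is in place, run over policies in Microsoft Graph's conditionalAccessPolicy JSON shape. The sample policies, the object id, and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like the Microsoft Graph response for
# GET /identity/conditionalAccess/policies. Names and ids are placeholders.
SVC_ID = "00000000-0000-0000-0000-0000000000aa"  # hypothetical service account object id
SAMPLE = json.loads("""
[{"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
  "sessionControls": null},
 {"displayName": "Syncro Service Account MFA Policy", "state": "disabled",
  "conditions": {"users": {"includeUsers": ["00000000-0000-0000-0000-0000000000aa"],
                           "excludeUsers": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
  "sessionControls": {"signInFrequency": {"isEnabled": true,
                                          "frequencyInterval": "everyTime"}}}]
""")

def requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    # With operator "OR", any other listed control could satisfy the policy instead of MFA.
    return "mfa" in controls and (len(controls) == 1 or grant.get("operator") == "AND")

def reauth_every_time(policy):
    freq = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    return bool(freq.get("isEnabled")) and freq.get("frequencyInterval") == "everyTime"

def audit(policies, svc_id):
    """Return findings; an empty list means the policies match the steps above."""
    findings, dedicated = [], []
    for p in policies:
        users = p["conditions"]["users"]
        if users.get("includeUsers") == [svc_id]:
            dedicated.append(p)  # the policy created only for the service account
        elif svc_id not in (users.get("excludeUsers") or []):
            findings.append(f"{p['displayName']}: service account is not excluded")
    if len(dedicated) != 1:
        findings.append(f"expected 1 dedicated policy, found {len(dedicated)}")
    for p in dedicated:
        if p["state"] != "enabled":
            findings.append(f"{p['displayName']}: policy is not enabled")
        if not requires_mfa(p):
            findings.append(f"{p['displayName']}: MFA is not required")
        if not reauth_every_time(p):
            findings.append(f"{p['displayName']}: sign-in frequency is not Every Time")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, SVC_ID):
        print("FINDING:", line)
```

A policy left in report-only mode has a state other than "enabled" and is reported as not enabled.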

Security Defaults 

We strongly recommend you follow the steps to configure MFA using a conditional access policy as described above. However, if that's not possible, follow these steps: 

  1. Log into the Microsoft Entra Admin Center.
  2. From the Overview section, select the Properties tab.
  3. At the bottom of the screen, click the "Manage Security Defaults" link.
  4. From the Security Defaults dropdown menu, select Enabled.

Step 3: Configure Customer GDAP Relationships

Now you can configure GDAP:

  • For individual Customers using Microsoft Partner Center.
  • For any or all Customers using Microsoft Lighthouse.
